Etiqueta: Practitioner

Bypassing GraphQL brute force protections

Descripción The user login mechanism for this lab is powered by a GraphQL API. The API endpoint has a rate limiter that returns an error if it receives too many requests from the same origin in a short space of time. To solve the lab, brute force the login mechanism to sign in as carlos. Use […]

Finding a hidden GraphQL endpoint

Descripción The user management functions for this lab are powered by a hidden GraphQL endpoint. You won’t be able to find this endpoint by simply clicking pages in the site. The endpoint also has some defenses against introspection. To solve the lab, find the hidden endpoint and delete carlos. Learn more about Working with GraphQL in Burp […]

OAuth account hijacking via redirect_uri

Descripción This lab uses an OAuth service to allow users to log in with their social media account. A misconfiguration by the OAuth provider makes it possible for an attacker to steal authorization codes associated with other users’ accounts. To solve the lab, steal an authorization code associated with the admin user, then use it […]

Forced OAuth profile linking

Descripción This lab gives you the option to attach a social media profile to your account so that you can log in via OAuth instead of using the normal username and password. Due to the insecure implementation of the OAuth flow by the client application, an attacker can manipulate this functionality to obtain access to […]

SSRF via OpenID dynamic client registration

Descripción This lab allows client applications to dynamically register themselves with the OAuth service via a dedicated registration endpoint. Some client-specific data is used in an unsafe way by the OAuth service, which exposes a potential vector for SSRF. To solve the lab, craft an SSRF attack to access http://169.254.169.254/latest/meta-data/iam/security-credentials/admin/ and steal the secret access key for […]

Password brute-force via password change

Descripción This lab’s password change functionality makes it vulnerable to brute-force attacks. To solve the lab, use the list of candidate passwords to brute-force Carlos’s account and access his «My account» page. Password brute-force via password change writeup Entramos al laboratorio, vamos a ‘My account’ e iniciamos sesión con el usuario ‘wiener’ y la contraseña […]

Password reset poisoning via middleware

Descripción This lab is vulnerable to password reset poisoning. The user carlos will carelessly click on any links in emails that he receives. To solve the lab, log in to Carlos’s account. You can log in to your own account using the following credentials: wiener:peter. Any emails sent to this account can be read via the email client […]

Offline password cracking

Descripción This lab stores the user’s password hash in a cookie. The lab also contains an XSS vulnerability in the comment functionality. To solve the lab, obtain Carlos’s stay-logged-in cookie and use it to crack his password. Then, log in as carlos and delete his account from the «My account» page. Offline password cracking writeup Este laboratorio es idéntico […]

Brute-forcing a stay-logged-in cookie

Descripción This lab’s two-factor authentication is vulnerable due to its flawed logic. To solve the lab, access Carlos’s This lab allows users to stay logged in even after they close their browser session. The cookie used to provide this functionality is vulnerable to brute-forcing. To solve the lab, brute-force Carlos’s cookie to gain access to […]

2FA broken logic

Descripción This lab’s two-factor authentication is vulnerable due to its flawed logic. To solve the lab, access Carlos’s account page. You also have access to the email server to receive your 2FA verification code. 2FA broken logic writeup Realizaremos un inicio de sesión, capturando las siguientes peticiones en el ‘Logger’. La petición de solicitar un […]